PAPER D
AUDIT PANEL - 21 OCTOBER 2004
REPORT OF THE CHIEF INTERNAL AUDITOR
This report is to provide the Panel with a summary of Internal Audit activity completed since the last report of 29th July 2004. The Panel is invited to note the contents of the report and to seek clarification of any issues arising from audits undertaken.
BACKGROUND
In keeping with good corporate governance practice, a Panel of elected members should have oversight of the activities of the Internal Audit Service for the following purposes:
· The Panel should monitor Internal Audit’s performance, both in terms of the quality and quantity of its work;
· The Panel should satisfy itself that Internal Audit has devoted its attention to the appropriate issues;
· The Panel should consider the results of Internal Audit reviews to ensure that any significant findings are addressed, including control weaknesses, and to ascertain whether, in the opinion of the Chief Internal Auditor, adequate and satisfactory responses have been given by the Authority’s management;
· The Panel should recommend, if necessary, that further attention should be given to some of the issues raised.
To facilitate this process, attached as Appendix A are synopses and summaries of significant audit work completed since 29th July 2004.
Appendix B contains full executive summary reports of audits performed on the council’s corporate governance arrangements and the risk management framework. These are reported to the Panel in a fuller format as we take the view that the review of the overarching arrangements for the achievement of good corporate governance and risk management should be the highest priority for the Audit Panel. The purpose of performing these audits was to inform internal audit’s view as to the reliability of the contents of the Statement of Internal Control which was produced after the end of financial year 2003/2004 but related to the control arrangements that existed during that financial year. Therefore, both reports relate to the same period and members should be aware when reading these reports that they relate to a particular period in time and some of the issues identified in these reports have moved on since 31st March 2004.
At the last meeting, members queried the status of recommendations made in respect of the audit of Industrial Sites which at that time had not been fully resolved with departmental management in Property Services. We can now confirm that all three recommendations suggested in the audit report have been agreed. In brief, the recommendations were:
· In order to ensure business continuity in the event of key personnel becoming unavailable for whatever reason, data held in the property database should be more comprehensive so that there is a clear trail of how decisions regarding rent levels etc. have been arrived at. This would allow officers unfamiliar with this area to continue managing the operation in the absence of key personnel. It was further recommended that temporary clerical support be sought for a short period to populate the database with the additional information needed.
· In order to ensure full recovery of electricity and water recharges at Lowtherville Industrial Estate, the Principal Estates Surveyor should identify the causes of undercharging and rectify the situation.
· The property file should include information relating to how the tenant applied for the site. References should be taken for every new tenant.
PROGRESS ON THE INTERNAL AUDIT PLAN FOR 2004/2005
The end of September is half way through the financial year and is an opportunity to report progress against the audit plan. There has been slippage in progress which means that it is unlikely that the whole plan will be completed by the end of the financial year. The causes of slippage are as follows:
· Assumptions about staffing resources when the original plan was formulated have proven to be incorrect, as a combination of a staff member leaving and anticipated job evaluation grade increases has stressed the budget so that we cannot safely fill the vacancy without risking a budgetary overspend.
· Completing projects from the previous financial year, particularly core systems audits required by the Audit Commission, has taken longer than anticipated, which reduces the amount of time available for the current year’s projects.
· Our involvement in supporting the GAGs initiative by seconding a member of staff to the GAGs team and by the heavy involvement of the ICT auditor in providing project assurance to the various strands of GAGs has further reduced our capacity to deliver planned projects.
· The number of special investigations has exceeded expectations, which again reduces the amount of time available for planned projects.
Two initiatives are being pursued to mitigate the effects of the anticipated non-completion of the whole plan:
FINANCIAL, LEGAL, CRIME AND DISORDER IMPLICATIONS
There are no significant financial or legal implications of this report, given that it is a progress report on the Internal Audit function. The Panel is reminded that the Council is required by statute (the Accounts and Audit Regulations) to have an adequate and effective Internal Audit function.
RELEVANT PLANS, POLICIES, STRATEGIES AND PERFORMANCE INDICATORS
None
CONSULTATION PROCESSES
None
BACKGROUND PAPERS USED IN THE PREPARATION OF THIS REPORT
Audit project files held by G Richardson – ext 3683
APPENDIX A
1. S17 of the Children Act 1989 – Children’s Services
This audit was carried out as part of the 2004-05 Audit Plan. The purpose of Section 17 expenditure is to enable vulnerable children to continue to stay with their families by providing small-scale practical support to the family through hardship payments. This support may range from assistance in buying essential household equipment such as a cooker to procuring necessary clothing for a child such as a pair of shoes. The budget for financial year 2004/05 is £80,500.
The overall objective of this audit was to seek to provide assurance to management that the internal control system supports the achievement of management’s objectives.
Only partial Assurance can be given that the internal control system is operating satisfactorily.
Significant findings were that the internal control system was not operating in accordance with financial procedures in relation to segregation of duties:
· There was a lack of internal control in respect of the segregation of duties within the Social Services Department;
· Processing of invoices lacked appropriate signatory control within the creditor payments section.
We have made 3 recommendations for improvement, all of which have been accepted by management, and 2 follow up actions for audit services.
2. The Council Tax System
The overall objective of the audit is to provide assurance to management that effective controls and procedures are in place to ensure that the Council Tax System is operating effectively.
The audit was carried out by interviewing relevant officers and carrying out testing on selected areas to determine the level of compliance with Council policy and procedures.
Overall the systems in place within Council Tax are sound, with effective controls and procedures in place. There were no major areas of concern; however, four recommendations have been made, which are of a minor nature and refer to the administration of the service.
Assurance can therefore be given to management that the systems in place are operating satisfactorily.
3. Risk Based Review of Coastal Management
The audit was carried out as part of the 2004-05 Audit Plan agreed by the Audit Committee on 29th July 2004. The overall objectives were to provide assurance to management that the objectives of the service are being met and that appropriate risk mitigation strategies are in place and operating satisfactorily.
5 recommendations have been made to management as a result of this audit to improve the effectiveness of Risk Management. The recommendations are summarised as:
· As part of the 2005-06 budget process consult with the Chief Financial Officer as to the possibility of part funding an Accounting Technician to make better use of management time
· To review the IW Oil Spills Contingency Plan to ensure the information is accurate and current
· To update the Quality Management System to include procedures for storage of electronic information
· To ensure backed up electronic information is stored effectively
· To discuss with the Risk Management Group the need for further risks to be entered on the Corporate Risk Register
As part of the audit process Risk Treatment Action Plans were completed with the Coastal Section. These document the current controls implemented by the section to manage the risk and planned actions to improve the management of risks. These planned actions include:
· The identification of skills shortages through the PDP process
· The completion of round two of the Shoreline Management Plan
· Development of the IW Coastal Visitors Centre and website to maximise dissemination of information
· Development of an action plan for preparing for the impacts of climate change
· Bid for resources to carry out Ventnor Groundwater feasibility study.
Assurance can be given to management that
· overall the objectives of the service are being met and that current risk mitigation strategies are operating satisfactorily and,
· that the planned actions once implemented will improve the management of risk and increase the likelihood of the achievement of objectives.
4. Risk Based Review of Homelessness
The audit was carried out as part of the 2004-05 Audit Plan agreed by the Audit Committee on 29th July 2004. The overall objectives were to provide assurance to management that the objectives of the service are being met and that appropriate risk mitigation strategies are in place and operating satisfactorily.
Several minor recommendations have been made to management as a result of this audit. These relate to:
· verifying the identity of homeless applicants,
· reviewing the impact of the requirement for applicants and private rented accommodation to be served with a court order prior to eviction,
· instituting annual checks on temporary accommodation, and
· continuing discussions with software developers regarding the provision of management information.
As part of the audit process Risk Treatment Action Plans were completed with the Homelessness Section. These document the current controls implemented by the section to manage the risk and planned actions to improve the management of risks. These planned actions include:
· Fast tracking of Housing Benefit claims with Housing Officers carrying out Verification Framework processes
· Identification of empty homes and increased use of Empty Homes Management Orders
· Introduction of mediation service and increased home visits to reduce the demands on the service
· Planned addition of 350 permanent units through Housing Associations and private development
· To implement an education programme working with schools, 16+ workers and Connexions
Assurance can be given to management that
· overall the objectives of the service are being met and that current risk mitigation strategies are operating satisfactorily and,
· that the planned actions once implemented will improve the management of risk and increase the likelihood of the achievement of objectives.
5. GAGS – GENERAL
We continue to support the GAGS programme in a number of ways, primarily providing risk management and assurance services consistent with the Prince2 project management methodology. We continue to attend the Programme Board meetings and “host” the GAGS Programme Risk Register, facilitating regular updates of the register. We have been instrumental in improving programme controls, for example, the management of risk and the formulation of the approach to benefit realisation.
We continue to support the CRM project and provide risk management and assurance services. We attend the Project Board and periodically issue our one-page assurance report. We have also been involved in the testing of Phase 3 of the CRM system and the development of the controls in Phase 4. We “host” the CRM Risk Register, facilitating regular updates of the register. We act as facilitators for the CRM Working Group, the forum that is responsible for the future direction of the system. Our involvement ensures appropriate consideration is given to controls and risks, including more recently advice on the legislative considerations of proposed functionality to register and authenticate customers contacting the authority and the sharing of customer data.
We continue to support the DIP project and provide risk management and assurance services. We attend the Project Board and periodically issue our one-page project assurance report. Latterly we have worked closely with the project manager to drive out a system for recording, monitoring and tracking project benefits – a set of protocols and templates we have shared with other projects. We “host” the DIP Risk Register, facilitating regular updates of the register.
Our current activity has been to review the selection criteria and the application of those criteria for the purposes of short-listing the suppliers to go through to the next stage.
We continue to support the ACCISS replacement project in a number of ways, primarily providing risk management and assurance services consistent with the Prince2 project management methodology. We continue to attend the Project Board meetings and regularly issue our one-page project assurance report. Latterly we have worked closely with the project manager to develop a system for assessing the operational preparedness of SWIFT (Launch Criteria assessments). We facilitated the assessment of the Go-Live decision in September (which ultimately concluded that launch should be deferred). We completed our work on the selection of the software solution for Supporting People, concluding with a review of the management process (and decision) to select an alternative product to SWIFT (SPOCC). We are planning our work to assist in the selection of the product for Homecare.
On the 25th June we conducted the second risk based ICT audit defined under our new ICT Audit framework. The documentation is currently being drafted in readiness for review by key stakeholders. At this time it can be reported that the current overall result will be RED – this is defined as – “a significant threat exists to the achievement of objectives”. We are currently working on the risk treatment action plans to manage the risks identified. These will be dependent on better alignment between the respective business and ICT strategies, going forward. The approach going forward has been discussed with senior management and the initial step will be to facilitate a workshop in November 2004 to map the business and technology drivers and undertake a gap analysis. One of the key areas to address is the timetable for and the sequence of service planning.
In June we started a body of work to review the Council’s business continuity recovery plans, building on the work conducted by Marsh. This work aligns with the Directors’ Group report currently being drafted by the Chief Fire Officer. Our concern, one shared by the Chief Fire Officer, is that we have no adequate processes in place to maintain the service recovery plans we have put in place. Additionally, without further work, the plans will remain incomplete and inconsistent in a number of areas. We have also started work with the Technical Standards Group to prepare Standards and templates for the preparation of the ICT component of the Business Continuity and Service Recovery plans for all areas.
We are currently working with the Libraries, Museums and Archives Manager in an advisory capacity to produce the appropriate project documentation for a number of projects and we are providing risk registers and will help with developing risk mitigation strategies.
We are working with the Extended Schools Co-ordinator in an advisory and assurance capacity, assisting in the development of the risk profile for the Extended Schools Strategy.
We are currently working with the Head of Democratic & Legal Services to draft a governance structure for the recently merged Drug Action Team and Crime & Disorder Partnership (“Safer Communities Partnership”).
We are currently working with the Library Service to develop the appropriate form of partnership agreement (including governance structure) between the Service and the Isle of Wight College.
We are currently working with colleagues from Policy, ICT and the Learning Centre to construct a training programme and a best practice guide for project management as part of the CPA Improvement Plan. This has also required us to evaluate providers for the training programme and evaluate various software products.
We have worked with colleagues to prepare a “risk profile” report to facilitate the strategic decisions to be taken in respect of the re-integration of Wight Leisure. The initial part of this work was the risk profiling to support the decisions regarding the classification of “activity areas” which has been used to determine the most appropriate provider for the activity (both internal and external). The second part of this work is the risk profiling to support the business case for the redevelopment of Westridge.
APPENDIX B
1.1 Introduction
The Local Government Act 2000 is challenging for local authorities. A common theme running through all of the Government’s requirements is the need for local authorities to review the various systems and processes they have in place for managing both their own internal affairs and their relationships with key stakeholders. Together these systems and processes comprise corporate governance. The concept and principles of corporate governance are directly relevant to local authorities and to the Government’s aim of democratic renewal.
The purpose of this report is to assess the level to which the IOW Council are complying with the underlying principles of good corporate governance in accordance with the CIPFA/SOLACE framework and to form an opinion of the effectiveness of the Council’s ability to demonstrate compliance with the framework.
Summary of Significant Findings
During financial year 2003/2004 the Council did not have its own local code of corporate governance. However, subsequent to the conclusion of the financial year, a Statement of Internal Control was developed which satisfies many of the requirements of a corporate governance code and will be developed further to comply fully with the requirement.
Members and senior officers are responsible for putting in place proper arrangements for the governance of the council’s affairs and the stewardship of the resources at its disposal. The code should be consistent with the principles and reflect the requirements of the CIPFA/SOLACE framework (Corporate Governance in Local Government: A Keystone for Community Governance). A copy of the code should be made available to the general public on the council’s website.
Many of the procedures, protocols and codes of conduct etc., which are key components of corporate governance, are documented in the council’s Constitution. This is available to the general public on the council’s website; however, it is presented as a continuous scroll with no page breaks. The hard copy of the document has a great many pages and therefore navigating the document on the website is very difficult. Steps should be taken to improve this with page numbering and an index.
Gifts and Hospitality registers are an area of weakness, with some service teams using a central directorate register, others using their own individual team registers and others having no register at all. The guidance issued refers to directorate registers; however, in practice the service teams in some directorates are spread over a wide area and in these circumstances using just one register is impractical.
Declarations/Registers of Interest was also noted as an area of weakness. Procedures are set out in the Codes of Conduct for both members and officers. For members a standard item is included on the agenda for all council meetings. However, for officers the code only states that interests are to be “declared to the line manager” with no mention of “in writing”. The procedure has been tightened up and all members of staff are now required to complete a declaration of interests, which is reviewed in the PDR process. Staff with no interests to declare are required to complete a nil return. Our findings revealed that many of the service teams were unaware of these requirements and their staff had not completed the forms.
1.3 Overall Conclusion
The Council have many of the systems and procedures in place that conform to the principles of good corporate governance. These have been developed over a number of years in an ad-hoc manner and are generally sound. However, they are now being pulled together to provide a more coherent and structured approach.
To enhance this process, it is recommended that the Council develops further the Statement of Internal Control so that it encapsulates the full requirements of a local code of corporate governance, which is officially approved and adopted. This document should be reviewed at least annually in order to provide assurance that it is both adequate and effective and also to measure the level of the Council’s compliance with the modified Statement.
Standards of Conduct is an area in which codes of conduct for both members and officers are in place and are generally adhered to. However it was noted that in some instances evidence of compliance is inadequate. Steps have been taken to improve this area and regular reviews should be undertaken to ensure that widespread compliance is maintained.
The IOW Council is generally complying with the underlying principles of good corporate governance in accordance with the CIPFA/SOLACE framework. However, there are areas where improvements are required before the Council can be considered to be fully complying with the framework. The Council must also be able to demonstrate compliance with the framework and whilst procedures and processes are in place to do this they are not always being followed.
1.4 Acknowledgements
I would like to take this opportunity to thank all members of staff for their co-operation and assistance in carrying out this review.
Internal Audit Action Plan
Title of Report: Corporate Governance
Date Final Report issued:
Main Findings | Possible Consequences | Action Required | Priority | Responsibility | Target Date |
1) The Council does not have a local code of corporate governance. | Failure to meet expected standards of performance and conduct. | Incorporate the code in the Statement of Internal Control | 1 | Paul Wilkinson, John Lawson | 01/01/2005 |
2) There is a requirement to set standards and targets for performance in the delivery of services on a sustainable basis. Need to clarify meaning of sustainable as can mean ongoing regular basis or environmentally sustainable. There is a need to embed performance management into the organisational culture. | Emphasis on wrong aspect of service delivery. | Clarify the meaning of the word sustainable in this instance. Improving ownership of the performance management agenda. | 2 | John Bentley | 01/01/2005 |
3) Whilst some local performance indicators have been developed more are required to assist the measurement of performance in many of the service areas. | Inaccurate and incomplete measurement of performance. | Develop additional local performance indicators. | 2 | John Bentley | 01/01/2005 |
4) No evidence that resources were allocated according to priorities in the 2003/04 budget. The budget process for 2004/05 has been more closely linked to the service planning framework. | Significant risks may not be appropriately mitigated | Use risk management framework as one of the mechanisms for prioritisation and resource allocation. | 2 | Paul Wilkinson | 11/10/2004 |
5) In view of the number of Partnerships that the Council has there is a need for a framework to be developed to ensure a corporate approach is maintained. | Inconsistent agreements with different partners may reduce their effectiveness. | Develop a partnership framework. | 2 | John Lawson | 01/01/2005 |
6) The Constitution is a continuous scroll on the intranet, which makes it a very slow process to find information. | Time wasting and poor public perception. Due to navigational difficulties staff may not be aware of the requirements of the Constitution. | The Constitution on the intranet should include page numbers and an index to assist navigation. | 3 | John Lawson | 01/01/2005 |
7) The Members’ Allowance Scheme is now reviewed by the Independent Remuneration Panel and not the Chief Financial Officer as stated in the Constitution. The new decision making structure is not reflected in the Scheme. | Constitution and Members’ Allowance Scheme not in line with current practices. | Update the Constitution to reflect the new process for reviewing the Members’ Allowance Scheme. Update the Members’ Allowance Scheme in line with the new council structure. | 3 | John Lawson | 01/01/2005 |
8) Whilst there is an Anti Fraud and Corruption Policy and Strategy in place it has not been reviewed recently. | Inconsistencies between the Policy and Strategy and current practices. | Review the Anti Fraud & Corruption Policy and Strategy. | 2 | Ged Richardson | 01/01/2005 |
9) A number of Service Units did not have a Gifts & Hospitality register and generally the process of reviewing those existing registers was inconsistent. | Failure to comply with the relevant legislation. | Set up a Gifts & Hospitality Register for each Service Unit. Head of Service to review registers every quarter. Director to review Heads of Service registers. Chief Executive to review Directors’ registers. Monitoring Officer to review Chief Executive’s register. Amend relevant sections of Constitution and Codes of Conduct for Officers. | 1 | S.M.T. | 01/11/2004 |
10) A number of Service Units were unaware that all members of staff were required to complete a Declaration of Interests form. | Failure to comply with the relevant legislation. | Service Heads to ensure current staff complete a form of declaration. All new members of staff to complete a form at the same time as signing their contract of employment. | 1 | S.M.T. | 01/11/2004 |
Priority Rating:
1 – Serious control weakness requiring immediate action.
2 – Control weakness requiring action within follow up period.
3 – Low priority control weakness requiring action within timescale determined by management.
RISK MANAGEMENT
August 2004
To assess the level to which Risk Management has been embedded within the Isle of Wight Council and to form a view on the adequacy and effectiveness of the strategy, framework and process for managing risk within the Authority.
Corporate requirements for Risk Management in the Isle of Wight Council?
The Corporate Plan 2002–2005: Excellence in Service Delivery:
“To improve our risk management & financial control procedures we will develop and implement a Risk Management Strategy for the Council.”
The CPA Improvement Plan 2003: In response to the District Audit letter the Council will take the following actions to improve Risk Management:
· Review and restructure strategic and operational risk groups
· Set up a new computerised Risk register
· Embed Risk Management into service planning
· Provide Risk Management training for key members and senior officers.
· Cascade risk management training down through the council
The Annual Action Statement 2003/04: Strategically driven service delivery:
“Deliver the Risk Management Strategy” (CPA Action)
The Annual Action Statement 2004/05: Leadership priorities 2004/05:
“Risk Management – attention will focus on roll out of Risk Management to service level – Comprehensive Service Risk Register in place by Dec 04”
The Role of Internal Audit in Risk Management
The role of Internal Audit in an organisation is to review the policies and processes in place to assess their effectiveness. Risk Management is no different to any other process. However, Internal Audit and Risk Management have common aims: the mitigation and control of risk. An assessment of the adequacy and effectiveness of the Authority’s Risk Management process provides a means for Internal Audit to contribute to the organisation’s Risk Management programme.
In addition the progress in complying with the requirements of the CPA Improvement Plan, Corporate Plan and Annual Action Statement will be measured and reported on.
Individual Objectives
To enable an overall opinion to be formed on the level to which Risk Management has been embedded within the Isle of Wight Council an audit programme was developed that identified a number of key objectives that have to be individually satisfied in order to achieve compliance with the Authority’s aim.
Interviews were held with Heads of Service, the Compliance and Risk Manager and officers of the Insurance and Risk section and documentary evidence obtained to enable an opinion to be formed.
Appendix A shows the findings from the above and makes recommendations for improvement.
Risk Maturity Model
To enable Internal Audit to form a view on the effectiveness of the Risk Management Strategy an audit programme was developed that will assess the level of integration of Risk Management through five levels:
1. Awareness and understanding
2. Implementation planned and in progress
3. Implementation in all key areas
4. Embedded and improving
5. Excellent capability established
It is expected that Risk Management will be cascaded down through the Authority and therefore different levels of integration should be found throughout the Authority at any one moment in time. To assess the level of integration the following key areas have been examined:
1. Leadership: Do senior managers and members support and promote risk management?
2. Risk Strategy and Policies: Is there a clear risk strategy and are there risk policies?
3. People: Are people equipped and supported to manage risk well?
4. Partnerships and resources: Are there effective arrangements for managing risks with partners and are there appropriate supporting resources?
5. Processes: Do the organisation’s processes incorporate effective risk management?
6. Risk handling: Are risks handled well?
7. Outcomes: Does risk management contribute to achieving outcomes?
The Risk Maturity model used was originally developed by HM Treasury for central government and therefore was deemed to be an appropriate choice for use in a Local Authority environment.
It is anticipated that the level of compliance will vary at any one time throughout the authority; therefore findings will reflect the overall picture unless there are significant variations between areas and levels.
Appendix B shows the position for 2003-04 and the anticipated level for 2004-05 based upon actions in progress.
Conclusion
The Isle of Wight Council has progressed well from a zero starting point in 2003-03 in its aim to embed risk management into the processes and policies of the organisation. However, the organisation needs to drive the process of maturing risk management to consistently build on the work of the last eighteen months. The recommendations made in Appendix A if implemented will assist the aims of the CPA improvement plan.
From the Risk Maturity model in Appendix B one main area of concern is the lack of risk management within partnership working. It is recommended therefore that the first target for addressing this issue is a Risk Workshop and the creation of a risk register for the Local Strategic Partnership.
Alison Bean
Audit Services
August 2004
ACTION PLAN
Objective | Findings | 2003/04 | 2004/05+ | Recommendations | Action by | Target date |
1. The strategic goals of the organisation are defined in objectives that meet the SMART criteria | The IW Council has an overall mission – “to improve Island life”. Achievement of this mission is through 6 strategic aims, which are in turn split into key objectives. The Annual Action Statement identifies the tasks to be completed within the year to achieve these objectives. | Whilst the mission and strategic aims are not SMART, the key objectives and actions identified within the Annual Action Statement help to define specific actions, and timescales for achieving those actions, that work towards the achievement of objectives. | The Annual Action Statement for 2004/05 was presented to the Executive on the 16th June 2004 where it was adopted. | Consideration is being given to refreshing the strategic aims to identify whether they are still relevant. It may be useful to complete this exercise post May 2005 following the Council election. The authority has a multitude of plans (corporate plan, CPA Improvement plan etc) developed in some cases independently of each other. To assist officers to understand how they can contribute to each plan and how the plans relate to each other the intranet site should have a simple one page diagram of how each plan “fits together” and its aims. | Head of Policy & Communications; Head of Policy & Communications | 31.12.2005; 31.12.2004 |
2. There is a corporate policy on Risk Management, formally adopted by the authority and promoted by the Council’s senior management including members | The Risk Management Framework for the Council, “Risk Management at the Isle of Wight Council”, was approved by the Strategic Risk Group in March 2004. It has been posted on the Insurance and Risk Management Section Intranet page. A member champion for Risk Management has been identified. The strategy includes terms of reference for the Risk Management group and the Strategic Risk group, and roles and responsibilities for each group and individual officers. | Strategy adopted March 2004 | The majority of the actions identified within the Risk Management policy are aimed to be implemented within 2004/05 | The framework identifies within the body of the text the actions to be taken across the authority to embed Risk Management. Appendix G identifies the annual timetable that provides a plan of when actions should be taken but it is recommended that this is amended to include who is responsible for ensuring actions are taken and the review and response mechanism for confirming the timetable has been adhered to and a performance measurement system implemented | Chief Financial Officer | 31.12.2004 |
3. Corporate risks are identified and recorded effectively | A corporate risk register is held on the Risk 2003 database held by the Insurance and Risk Management section. | Completed | Corporate risks emerging as part of service planning will be passed to the S Risk Management Group in October | | | |
4. Business and service plans are developed with the need to manage risks of all kinds in mind | Service planning from the summer of 2004 will include the requirement for each Head of Service to provide a service risk register and link the risks to service planning | N/a | Service planning to include service Risk Registers | The process for risk identification at service level is well documented within the Risk Management Strategy. It is recommended that a similar timetable and list of responsibilities is developed for the identification, classification and recording of risks by Directors and Members | Chief Financial Officer | 31.12.2004 |
5. Procedures are in place to ensure the identification of risks provides a complete picture and does not solely consider financial risks | Service planning guidance issued to all heads of service defines risk as “a threat that an event or action will adversely affect an organisation’s ability to achieve its objectives and successfully execute its policies” | Guidance provided | | It is recommended that the service and corporate risk registers are monitored to ensure that all risks are considered and that there is not an over emphasis on financial risks | Chief Financial Officer | Ongoing |
6. Procedures are in place to measure the impact / likelihood of risks occurring | The Service risk register guidance produced for 2004/05 includes a matrix that “scores” risks on a scale of remote, unlikely, likely and very likely for probability and low, medium, high and major for impact. | Used in the creation of the corporate and strategic registers and at workshops held by Insurance & Risk and the Audit Section | Used for service risk planning for 2004/05 | | | |
7. Procedures are in place so that decisions as to whether or not to accept risks are properly taken | Appendix G of the Risk Management Framework – Roles and Responsibilities – identifies the Head of Service as responsible for managing service risks whilst the Director is responsible for managing strategic risks. | N/a | From 2004/05 | Risk acceptance or treatment is the responsibility of management. Quality assurance of the Risk Management process is allocated to the Risk Management group. It is therefore recommended that they monitor the number of risks where no action is taken and provide guidance as required for appropriate risk mitigation strategies. | Chief Financial Officer | Ongoing |
8. Once a risk has been identified both the risk and the mitigation strategy are allocated owners who are responsible for monitoring the performance of the risk and acting upon findings | The Risk Management Framework identifies the Strategic Risk group as responsible for performance monitoring of strategic risks and the Risk Management group for Corporate risks. Heads of Service are responsible for risks within the service risk register | Not in place for 2003-04 | From 2004-05 | The owners and responsibilities for corporate and strategic risks are identified within the Risk Management Framework. It is recommended that for service risks the performance of quality assurance processes in respect of Risk Management records and systems as allocated to the Risk Management group is better defined to include guidance on how and when the risk management process at service level is measured. Greater clarity is required for the role of the Audit Panel. | Chief Financial Officer | 31.03.2005 |
9. Advice on the treatment of risk / loss is provided centrally to all levels in the organisation to provide a consistent approach to the treatment of risk | Risk treatment is less well defined and responsibility for risk treatment action plans lies with the risk owner. The Insurance and Risk Section are able to provide advice on the treatment of risk but their role should be more clearly defined and training provided where necessary. | Not in place 2003-04 | | It is recommended that whilst responsibility for risk treatment remains with management, more central support is available for guidance on risk treatment | Chief Financial Officer | Ongoing |
10. Realistic / appropriate timetables are established for the implementation of risk mitigation strategies with established procedures for obtaining additional funding where required | As risk management is only being implemented at service level in the current round of service planning it is too early to state whether timescales are achievable or appropriate. It is anticipated that major risks will be identified within service planning and funding requested as required | Not in place for 2003-04 | Service planning during the summer of 2004 should identify key risks and applications for funding made as appropriate. | It is recommended that guidance is issued to ensure that the distinction between growth bids and risk bids is clear and in the case of risk bids the appropriate method is used. | Chief Financial Officer | 31.12.2004 |
11. Proposals for the treatment of risk are identified, documented and presented to decision makers | Proposals for the treatment of risk are identified for risks on the corporate and strategic risk registers, with control measures allocated a status (proposed, approved, in progress, implemented and withdrawn). As service risk registers are in the majority incomplete or non-existent, risk treatment is yet to be considered. | Satisfactory system for identifying and documenting treatment for corporate and strategic risk | It is anticipated that service risks will document risk mitigation in a similar method as employed for strategic and corporate risks. | | | |
12. Procedures are in place for evaluation of the effectiveness of risk treatment / control procedures | Limited performance management has been carried out on strategic and corporate risk treatment procedures and none for service risks. | Limited review of risk treatment performance has been carried out | Proposals for performance management of risk treatment plans have been discussed at risk management forums in June / July 2004 | It was stated at the Risk Management group in June 2004 that “risk owners need simply to update the group at each meeting to inform them as to how a risk is behaving” and performance management of service risks is not in the terms of reference of the Risk Management group. It is recommended that if this is to remain the position of the group then they should ensure that sufficient knowledge and expertise of risk management is available at service level and it will be necessary to provide additional support to service risk owners whilst the authority is maturing its risk management processes. | Chief Financial Officer | 31.3.2005 |
13. Procedures are in place to monitor the behaviour of risks and the effectiveness of risk mitigation strategies adopted through the use of performance indicators | There is very little evidence that the authority has progressed to the point that risk mitigation strategies can be measured through the use of performance indicators | None for 2003-04 | | The Risk Management strategy states that risks will be “performance managed in an appropriate way”. Expansion on this statement needs to be considered by the Risk Management group and guidance and training as required at all levels of the authority is considered. Consideration should be given to developing the use of the P.I facility within the Risk 2003 database. | Chief Financial Officer | 31.3.2005 |
14. There is evidence that risk registers are regularly reviewed and updated | There is evidence that the corporate and strategic risk registers have been reviewed during 2003-04 | Evidence for corporate and strategic risks for 2003-04 | The Risk management strategy states that updating the service risk registers will be the responsibility of service heads. However, service heads will be required to update the Risk Management group quarterly on the status of control measures used to mitigate risks | The Risk management group will need to monitor the quarterly response from service heads to ensure the registers are being regularly reviewed and updated. | Chief Financial Officer | Ongoing |
15. Training / guidance on risk issues is provided to meet assessed needs | The Risk Management group will act as a forum for raising awareness across the authority. | The terms of reference for the Risk forums were not in place until March 2004; however, facilitated risk workshops were held with directors groups and service heads during the year | Guidance provided for service risk registers for summer 2004. Facilitated Risk workshops held with Directors groups and Heads of service | Recommended that information is obtained from across the authority on the level and nature of training required on risk management issues and an appropriate training plan devised | Chief Financial Officer | 31.3.2005 |
16. There are appropriate forums for considering risk, including Terms of reference, accountabilities, reporting framework and support | The Strategic Risk Group and Risk Management group have Terms of reference, roles and responsibilities have been defined within the Risk Management Framework. | Not formally in place until end of 2003/04 although groups have been meeting throughout the year. | In place for 2004/05 | Recommended that the terms of reference are reviewed later in 2004/05 to identify compliance with and adjustments that may be necessary to constitution of risk forums. Terms of reference should be devised for the Audit Panel to clarify their role within Risk Management | Chief Financial Officer | 31.3.2005 |
17. There is awareness amongst Service Managers and Team Leaders of risk management principles | Risk Management is being cascaded down through the authority. Several service managers have risk registers already in place although for the majority this is a fairly new area. Internal Audit are carrying out a number of risk based audits during the next three years that have a completed risk register as one output. | Approximately 45 percent of team leaders and service managers have knowledge of risk management. | More workshops are planned with service managers throughout 2004-05. These will be facilitated by both Internal Audit and Insurance and Risk sections. | There are very limited resources within the two sections to actively introduce risk management at lower levels of the authority. Consideration should be given within service planning and resource allocation to increase the resources that can be committed to embedding risk management within the authority | Chief Financial Officer | 31.3.2005 |
Risk maturity Framework Isle of Wight Council
| Level 1: Awareness & understanding | Level 2: Implementation planned and in progress | Level 3: Implementation on all key areas | Level 4: Embedded and improving | Level 5: Excellent capability established |
Leadership: do senior management and members support and promote risk management | Top management are aware of need to manage uncertainty & risk and have made resources available to improve | Senior Managers & members take the lead to ensure that approaches are being developed and implemented | Senior managers act as role models to apply risk management consistently and thoroughly across the organisation | Top down commitment with embedding and integrating risk management as routine business practice | Senior managers reinforce and sustain risk capability, organisational and business resilience and commitment to excellence. Leaders invited to speak at conferences about their success |
Risk Strategy & policies: is there a clear risk strategy and risk policies | Policies and strategies reviewed against risk principles | Risk management principles are reflected in the organisation’s policies & strategies & communicated effectively | Risk policies and strategies are communicated effectively and made to work through a framework of processes | Risk handling is an inherent feature of all policies and strategy making processes | Risk management capability in policy & strategy making is reviewed and improved. Role model status |
People: Are people equipped and supported to manage risk well | Key people are aware of the need to assess and manage risks and they understand risk concepts and principles | Suitable guidance is available and a training programme has been implemented to develop risk capability | A core group of people have the skills and knowledge to manage risk effectively | People are encouraged and supported to be more innovative. Regular training is available for people to enhance their risk skills | All staff are risk aware and capable of using basic risk skills, tools and techniques |
Partnerships & Resources: Are there effective arrangements for managing risks with partners and are there appropriate supporting resources | Key people are aware of areas of potential risk with partnerships, suppliers and management of significant resources and understand the need to agree approaches to manage these risks | Approaches for addressing risk with partners and when managing assets and financial and other resources are being developed and implemented | Risk with partners is managed consistently for all key areas and across organisational boundaries | Sound governance arrangements established. Partners & suppliers selected on basis of risk capability & compatibility | Information integrity and asset security are assured. Financial and other resources effectively managed. Organisation regarded as a role model |
Processes: Do the organisation’s processes incorporate effective risk management | Some stand alone risk processes have been identified | Recommended risk management processes are being developed | Risk management processes implemented in key areas. Risk capability self assessment tools used in some areas | Risk metrics are collected. Risk management standards applied in some areas | Management of risk & uncertainty is well integrated with all business processes. State of the art tools & methods are used. Selected as a benchmark site by other organisations |
Risk Handling: Are risks handled well | No clear evidence that risk management is being effective | Limited evidence that risk management is being effective in all relevant areas | Clear evidence that risk management is being effective in all relevant areas | Very clear evidence that risk management is being very effective in all areas | Excellent evidence that risk management is being highly effective in all areas and improvement is being pursued |
Outcomes: Does risk management contribute to achieving outcomes. | No clear evidence of improved outcomes | Limited evidence of improved outcome performance consistent with improved risk management | Clear evidence of significant improvements in outcome performance demonstrated by measures including, where relevant, stakeholders’ perceptions | Very clear evidence of very significant improved performance for all relevant outcomes and showing positive and sustained improvement | Excellent evidence of markedly improved outcome performance which compares favourably with other organisations employing best practice |
Key: In place 2003/04 | In progress for 2004/05 | Limited compliance 2003-04 |